Rusty Russell [ARCHIVE] on Nostr
📅 Original date posted:2016-01-08
📝 Original message:Pieter Wuille via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org>
writes:
> Yes, this is what I worry about. We're constructing a 2-of-2 multisig
> escrow in a contract. I reveal my public key A, you do an 80-bit search for
> B and C such that H(A and B) = H(B and C). You tell me your keys B, and I
> happily send to H(A and B), which you steal with H(B and C).

FWIW, this attack would affect the current lightning-network "deployable
lightning" design at channel establishment; we reveal our pubkey in the
opening packet (which is used to redeem a P2SH using normal 2of2).

At least you need to grind before replying (which will presumably time
out), rather than being able to do it once the channel is open.

We could pre-commit by exchanging hashes of pubkeys first, but contracts
on bitcoin are hard enough to get right that I'm reluctant to add more
hoops.

Cheers,
Rusty.
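As an added example of the pre-commitment Rusty mentions (this is not code from the post, from the bitcoin-dev thread, or from any lightning implementation): each side sends H(pubkey) before either reveals a key, so a peer cannot pick its key after seeing ours, and a reveal that does not open the commitment is rejected. The `Party` class, the `escrow_script_hash` stand-in, the constructed keys and the use of SHA-256 (rather than the HASH160 P2SH actually uses, whose 160-bit output is what makes an 80-bit collision search feasible) are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample "pubkeys" (33 bytes each); not real secp256k1 points.
ALICE_KEY = bytes.fromhex("02" + "11" * 32)
BOB_KEY = bytes.fromhex("03" + "22" * 32)
OTHER_KEY = bytes.fromhex("03" + "33" * 32)  # a key Bob did not commit to


def H(data: bytes) -> bytes:
    # Commitment hash; a stand-in for the script hash in the post.
    return hashlib.sha256(data).digest()


class Party:
    """One side of the channel-opening handshake, with commit-then-reveal."""

    def __init__(self, pubkey: bytes):
        self.pubkey = pubkey
        self.peer_commitment = None

    def commit(self) -> bytes:
        # Phase 1: send only H(pubkey), before seeing the peer's key.
        return H(self.pubkey)

    def receive_commitment(self, commitment: bytes) -> None:
        self.peer_commitment = commitment

    def accept_reveal(self, peer_pubkey: bytes) -> bool:
        # Phase 2: the revealed key must open the commitment we already hold.
        # A peer that ground for a key after seeing ours cannot satisfy this.
        if self.peer_commitment is None:
            return False
        return hmac.compare_digest(H(peer_pubkey), self.peer_commitment)


def escrow_script_hash(a: bytes, b: bytes) -> bytes:
    # Stand-in for the hash of the 2-of-2 script both sides would fund.
    return H(b"2of2" + a + b)


def run_handshake(alice: Party, bob: Party, bob_reveals: bytes):
    """Returns the script hash to fund, or None if a reveal is rejected."""
    alice.receive_commitment(bob.commit())
    bob.receive_commitment(alice.commit())
    # Only now does either side reveal; bob_reveals lets us model a peer
    # that tries to substitute a key chosen after seeing Alice's.
    if not alice.accept_reveal(bob_reveals) or not bob.accept_reveal(alice.pubkey):
        return None
    return escrow_script_hash(alice.pubkey, bob_reveals)
```

With both parties honest the handshake yields the escrow hash; a reveal of `OTHER_KEY` after Bob committed to `BOB_KEY` is refused, so no funds are sent to a script Bob chose late.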
Published at 2023-06-07 17:31:35